Release

What You Need to Know About SEBI's TPRM Updates

Aug 23, 2024

Tanay Rai

SEBI's latest update to its Cybersecurity and Cyber Resilience Framework (CSCRF) is shaking up the rules for Regulated Entities (REs), particularly with its strong stance on Third-Party Risk Management (TPRM). The message from SEBI is loud and clear: outsourcing doesn't absolve REs of responsibility. Even when third-party service providers are in the mix, the accountability for cybersecurity ultimately lies with the REs.

Accountability at the Forefront

At the heart of SEBI's new guidelines is a reinforced focus on accountability. REs are now fully responsible for any cybersecurity breaches or issues that may arise from functions they outsource. This isn't just a matter of legal formality; it's about ensuring that no weak links are left in the chain, especially when external vendors are involved. SEBI is making it clear that the defense of sensitive information and critical systems must be watertight, regardless of who is handling the data.

Due Diligence as a Must

To support this shift, SEBI has laid down strict requirements for due diligence before engaging with third-party providers. REs are now expected to perform comprehensive background checks on any third-party vendor they plan to work with. This means going beyond the basics and ensuring that these vendors have a solid track record when it comes to cybersecurity.

Moreover, Non-Disclosure Agreements (NDAs) have become a non-negotiable part of the process. These agreements are crucial for protecting sensitive information from unauthorized access or leaks. But SEBI doesn't stop there: it also requires that third-party providers obtain cyber audit certifications. These certifications serve as proof that the providers are equipped to meet the high standards of cybersecurity that SEBI demands.

Addressing Supply Chain Risks

SEBI's updated framework also places significant emphasis on managing supply chain risks. REs must now take a proactive approach in identifying and assessing risks associated with their third-party partners. This involves scrutinizing not just the vendors themselves but also the potential vulnerabilities they could introduce into the system.

To ensure that these risks are adequately managed, SEBI has mandated that contracts with third-party providers must include clauses that explicitly require compliance with the RE's cybersecurity policies. These contractual obligations are vital in maintaining a consistent security posture across all aspects of the RE's operations.

Concentration Risk Under Scrutiny

Another critical area SEBI has addressed is concentration risk. This risk becomes significant when multiple REs rely on the same third-party provider. If that provider is compromised, it could lead to widespread vulnerabilities across several entities. SEBI is keenly aware of this and is pushing REs to implement additional cybersecurity controls to mitigate such risks.

Independent audits of these third-party providers are now being strongly encouraged. These audits provide an additional layer of security, ensuring that the third-party providers are not just compliant but also resilient against potential cyber threats.

Continuous Monitoring for Compliance

The final pillar of SEBI's updated framework is the emphasis on continuous monitoring. SEBI expects REs to maintain a vigilant watch over their third-party providers. This includes regular reviews and audits of the provider's activities to ensure that they continue to meet the required cybersecurity standards.

This proactive approach is designed to keep REs one step ahead of potential threats. By staying alert and conducting periodic assessments, REs can identify and address security gaps before they become significant issues.

The Bottom Line

SEBI's new guidelines are a clear wake-up call for Regulated Entities. Outsourcing might help streamline operations, but when it comes to cybersecurity, there's no passing the buck. The onus is on REs to ensure that their third-party providers are up to the task and that their systems are secure from every angle. SEBI's framework doesn't just set the bar; it raises it, ensuring that REs are fully equipped to handle the complexities of today's cybersecurity landscape.

Book a demo with Genesis

See for yourself how Genesis Platform eliminated manual TPRM with AI

Genesis Platform

Genesis assists businesses in identifying and reducing their attack surface while also managing and collaborating with third parties.

Registered Office Address: Hamdan

Innovation Incubator, Dubai, UAE

© Copyright Genesis Platform 2024, All Rights Reserved
